UNITED STATES DEPARTMENT OF COMMERCE
The Inspector General
Washington, D.C. 20230

April 25, 2012

The Honorable Darrell Issa
Chairman
Committee on Oversight and Government Reform
U.S. House of Representatives
Washington, DC 20515-6143

Dear Mr. Chairman:

In response to your request of April 5, 2012, we are providing current information on our office's open and unimplemented recommendations, including:

   • The number of open and unimplemented recommendations (see enclosure 1);
   • The issue date and estimated cost savings of those recommendations with associated estimated cost savings (see enclosure 2);
   • Our three most important open and unimplemented recommendations (including, for each, its status, any associated cost savings, and bureau plans for 2012 implementation; see enclosure 3); and
   • The number of recommendations that our office has deemed accepted and implemented during the time period from April 30, 2011, to April 20, 2012 (see enclosure 1).

As requested, we also identified what we consider to be the three most important unimplemented recommendations we have made to the Department or its bureaus (for further details, see enclosure 3):

   1. Recommendations related to the National Oceanic and Atmospheric Administration's (NOAA's) National Marine Fisheries Service, including those we reported in February 2012 and January 2010 (the February 2012 recommendations entail cost savings that we have estimated in enclosure 2);
   2. Recommendations related to NOAA's environmental satellite programs, including those we reported in September 2011 and November 2007; and
   3. Recommendations related to the Department's IT security, including those we reported in October 2011 and November 2011.

If you have any questions or require additional information, you or your staff may contact me at (202) 482-4661 or Ann Eilers, Principal Assistant Inspector General for Audit and Evaluation, at (202) 482-2754.

Sincerely,

Todd J. Zinser

Enclosures

cc: The Honorable Elijah E. Cummings, Ranking Minority Member


Enclosure 1: OIG's Open and Unimplemented Recommendations Since 2007

  Calendar   Recommendations   Recommendations   Recommendations       Recommendations Implemented
  Year       Made              Still Open        Still Unimplemented   Since April 29, 2011
  2007       187               0                 3                     0
  2008       143               0                 0                     1
  2009       100               0                 2                     30
  2010       93                0                 43                    24
  2011       66                0                 61                    5
  2012*      53                25                53                    0
  Total      642               25                162                   60

* As of April 20, 2012

We compiled this table by reviewing all performance audit, evaluation, and inspection reports we issued during the period of January 1, 2007, through April 20, 2012. We have not included classified or sensitive nonpublic recommendations, recommendations in financial statement audits, or those addressed to specific nonfederal entities in connection with audits of financial assistance awards.

After OIG issues a final report, a bureau has up to 60 days to submit a corrective action plan for OIG's approval. The 25 "open" recommendations from 2012 reports are due to

    • 4 reports with 16 recommendations for which the bureaus have not yet submitted corrective action plans as of April 20, 2012, and
    • 1 report with 9 recommendations, whose corrective action plan is still being reviewed by OIG.

"Unimplemented" recommendations have approved action plans, but the bureau has not yet completed its implementation of the recommendations.


Enclosure 2: Recommendations That Have Associated Estimated Cost Savings

Two recommendations from More Action Needed to Improve Controls in Asset Forfeiture Fund (OIG-12-019-1), issued on February 8, 2012, have estimated cost savings associated with them (see table, below):

  Recommendation                                                          Estimated Cost Savings

  We recommend that the Under Secretary of Commerce for Oceans            $871,000
  and Atmosphere require that NOAA's Office of Law Enforcement            funds to be put
  (OLE), the Enforcement Section, and NOAA Finance implement a            to better use
  process to ensure that deposit account¹ cases are periodically
  reviewed and that legally resolved cases are transferred from the
  deposit account or returned to a respondent in a timely manner.

  We recommend that the Under Secretary for Oceans and                    $3.9 million
  Atmosphere require that Enforcement Section and NOAA Finance            unsupported costs
  develop policies and procedures to consistently pursue collection of    and write-offs
  fines and penalties in a manner that treats all respondents uniformly,
  and in compliance with the Debt Collection Improvement Act of 1996.

¹ The "deposit account" holds proceeds that are pending legal determination from the sale of property seized by OLE agents. Once a case has a determination, funds should be moved from the deposit account in accordance with the legal disposition--either by returning money to the respondent or transferring money to one of NOAA's marine resource funds.


Enclosure 3: OIG's Top Three Open and Unimplemented Recommendations

Recommendations related to NOAA National Marine Fisheries Service, including those reported in More Action Needed to Improve Controls in Asset Forfeiture Fund (OIG-12-019-1), February 8, 2012, and Review of NOAA Fisheries Enforcement Programs and Operations (OIG-19887), January 21, 2010

The asset forfeiture fund (AFF), the focus of our February 2012 report, contains proceeds from marine resource violations that are expendable under the guidelines of the Magnuson-Stevens Fishery Conservation and Management Act, section 311(e)(1). An independent audit firm determined the AFF to have a $13.6 million asset balance ($7.5 million in unrestricted cash) as of March 31, 2011. In previous OIG reports from January and July 2010, we addressed concerns that revealed several weaknesses in NOAA's management of and internal controls over the AFF. This year's review examined whether NOAA properly defined AFF assets and their allowable uses--and developed controls over collections and disbursements. The review also examined whether the audit plan of the AFF financial statements, compiled by an independent auditor, could provide reliance on the AFF cash balances as of March 31, 2011.

We found that NOAA (1) lacks appropriate controls to assure the receipt and accurate recording of proceeds and (2) has not accurately recorded or adequately pursued all fines and penalties. We also noted that the AFF does not contain all NOAA collections for marine resource violations. In addition, we described NOAA's accounting for the use of fines and penalties from Northeast Multispecies Fishery Management Plan violations, as well as provided clarification of AFF data inflow and outflow.

Our recommendations pertained to NOAA's Office of Law Enforcement (OLE), NOAA's Office of General Counsel Enforcement Section (GCES), and NOAA Finance. We recommended that OLE train agents and enforcement technicians on AFF collection procedures and policies; implement procedures for enforcement action reports; and evaluate the Law Enforcement Accessible Database System internal control and access issues. Further, we recommended that OLE and GCES develop policies and procedures to address payment issues. GCES should also coordinate handling of its lockbox submissions; develop policies and procedures for Commerce Business System debt recording (and independent monitoring for amounts not yet recorded); and standardize case monitoring. Finally, we recommended that OLE, GCES, and NOAA Finance implement a process to ensure periodic review and timely transfer of cases--and GCES and NOAA Finance develop policies and procedures to pursue collection in a uniform manner in compliance with the Debt Collection Improvement Act of 1996.

   Status of recommendations: Our recommendations are unimplemented at this recent stage.

   Estimated cost savings: Implementation of two of these recommendations would entail $871,000 in funds to be put to better use and $3.9 million in questioned costs (see enclosure 2 for further details).

   Plans to implement recommendations in near future: We received NOAA's action plan addressing these recommendations but need further discussion with NOAA before accepting the final plan.

Our January 2010 report responded to NOAA's June 2009 request for OIG review of the policies and practices of the Office for Law Enforcement (OLE) within the National Marine Fisheries Service (NMFS), along with the NOAA Office of General Counsel for Enforcement and Litigation (GCEL; later renamed Office of General Counsel Enforcement Section, or GCES)--prompted in part by concerns raised by members of Congress and elected state officials about NOAA's Northeast Region. We focused on (1) how OLE and GCES conduct enforcement operations; (2) the OLE and GCES processes for establishing enforcement and penalty priorities; and (3) NOAA's enforcement resources, including management and use of funds obtained through imposed penalties.

The significant unimplemented recommendation from the January 2010 report stated that NOAA should determine whether it is maintaining an appropriate balance and alignment of uniformed enforcement officers and inspectors and criminal investigators.

   Status of recommendation: This recommendation remains unimplemented.

   Estimated cost savings: This recommendation has potential for cost savings, depending on the particular changes that the new workforce plan suggests. At this stage, we cannot precisely estimate specific cost savings associated with these improvements. However, NOAA's draft workforce analysis reports that NOAA paid $2.8 million in law enforcement availability pay for noncriminal investigative work.

   Plans to implement recommendation in near future: NOAA has only recently prepared a draft workforce analysis in response to our recommendation; NOAA has communicated that it expects to finalize the document by July 2012--more than 2 years subsequent to our recommendation.

Recommendations related to NOAA environmental satellite programs, including those reported in Joint Polar Satellite System: Challenges Must Be Met to Minimize Gaps in Polar Environmental Satellite Data (OIG-11-034-A), September 30, 2011, and Successful Oversight of GOES-R Requires Adherence to Accepted Satellite Acquisition Practices (OSE-18291), November 20, 2007

Our September 2011 audit reviewed the Joint Polar Satellite System (JPSS) program. In February 2010, the White House's Office of Science and Technology Policy decided to have NOAA partner with NASA to establish JPSS--which, at that time, planned to launch two satellites at an estimated cost of $11.9 billion to collect data for short- and long-term weather and climate forecasting through 2026. On October 28, 2011, NASA launched the Suomi National Polar-orbiting Partnership (NPP) satellite that will now be used operationally to maintain continuity of data from the afternoon orbit.

Our review found, among other things, that NOAA's ground system for NPP is not as robust as a typical operational system. Until NOAA establishes backup ground system capabilities, satellite control is vulnerable to severe events (e.g., natural disasters, large-scale telecommunications outages, or equipment failures) that could disrupt the mission management center's ability to control the satellite. In addition, NPP's ground station has the system's only science data downlink (i.e., the only means to transmit a signal from the satellite to the ground station).

One significant recommendation remains unimplemented: to mitigate the risks of using NPP data operationally, determine the feasibility of establishing an alternate mission management center and an additional science data downlink for NPP as soon as possible.

   Status of recommendation: According to NOAA officials, the bureau has commissioned studies to develop an alternate mission management center and aims to have it ready well in advance of the first JPSS satellite (JPSS-1) launch.

   Estimated cost savings: While we cannot yet project specific cost savings, NOAA's implementation of our recommendation should help prevent loss of life and property--by ensuring that critical data needed to predict severe weather events is available.

   Plans to implement recommendation in near future: NOAA expects the feasibility study to be completed by July 31, 2012.

Our November 2007 review focused on the Geostationary Operational Environmental Satellite (GOES-R) program. In 2005, the Department and NOAA assumed oversight and management responsibility for the entire GOES-R program, now projected to cost $10.9 billion for four satellites that will enable uninterrupted short-range severe weather warning and "now-casting" through 2036. Since then, NOAA--rather than NASA--has led GOES-R's program management and acquisition, thus leaving the Department with direct oversight authority for both the ground and space segments. These new roles have added risk to an already highly complex undertaking. Our review found that the Department lacked a workable oversight structure--not just for GOES-R but for all major acquisitions.

The following recommendation remains unimplemented: complete and implement the Department's major system acquisition policy and, for satellite programs, ensure the policy incorporates the key decision points in NASA Procedural Requirements (NPR) 7120.5D² and requires comprehensive independent reviews at all key decision points.

   Status of recommendation: The Department agreed to develop a major system acquisition policy by the third quarter of FY 2008. It did not meet the deadline.

   In June 2010, the Department created a new process to manage acquisitions and reduce risk called the "Commerce Acquisition Framework." In February 2012, the Department identified steps regarding changes to acquisition policy. It also plans to pilot major investment projects--including those concerning NOAA satellites, 2020 Census, and cyber security--through this process and release a framework policy in June 2012.

   Estimated cost savings: With an estimated $23 billion for the Department to spend on GOES-R and the Joint Polar Satellite System--two critical environmental satellite systems--over their life cycle, plus $2.5 billion annually in major IT investments alone, the Department must have an effective oversight program in place. The benefits gained by implementing our recommendation may result in cost savings; however, we cannot yet project a specific amount.

   Plans to implement recommendation in near future: As noted above, the Department plans to update its policy in June 2012.

² NPR 7120.5D is a NASA policy that NOAA has adopted for its satellite acquisition activities.

Recommendations related to the Department's IT security, including those reported in Improvements Are Needed for Effective Web Security Management (OIG-12-002-A), October 21, 2011, and FY 2011 Federal Information Security Management Audit: More Work Needed to Strengthen IT Security Department-Wide (OIG-12-007-A), November 10, 2011

In support of our fiscal year (FY) 2011 Federal Information Security Management Act (FISMA) audit, our office issued two reports. Each identified specific issues with the Department's IT security program and included recommendations for improving the Department's overall IT security posture.

For our October 2011 audit, our office assessed the effectiveness of security measures implemented on a selected subset of 15 of the Department's public-facing websites. Our assessment identified significant vulnerabilities resulting from inadequate software development practices, improper software configuration, and failure to install system updates in a timely manner. We found critical vulnerabilities in 80 percent of web applications we reviewed. The majority of web applications have well-known website vulnerabilities, misconfigured back-end databases, and outdated software that supports them. Combined, these security weaknesses put both web applications and users' computers at greater risk of compromise, resulting in disruption of services or unauthorized disclosure of sensitive information.

Two of our recommendations remain unimplemented--that the Department's chief information officer (a) work with operating unit senior management to ensure that bureaus expand the Department's vulnerability scanning to include application-level assessments and (b) utilize security best practices (e.g., users' input validation) for publicly accessible web applications to ensure that only legitimate information is accepted.

   Status of recommendations: The above two (of the report's three) recommendations have not been completely implemented.

   Estimated cost savings: Implementation of our recommendations will improve the Department's processes for securing its web applications. Avoiding hardware and software compromise, as well as service disruption, will certainly lead to more efficient operations. However, we cannot yet estimate particular cost savings associated with these improvements.

   Plans to implement recommendations in near future: The Department plans to complete implementation of our recommendations by the end of FY 2012.

Our November 2011 audit assessed the security of 10 information systems selected from three Departmental bureaus: five from NOAA, three from the U.S. Patent and Trademark Office, and two from the Census Bureau. The bureaus categorized these systems as high- or moderate-impact, based on how severely a security breach would affect organizational operations, assets, or individuals. We identified deficiencies in fundamental aspects of security planning and significant security control weaknesses. These include continued failure to implement key controls governing access, securely configure components, patch vulnerable software, and audit and monitor system events. Flaws remain in the Department's process for reporting and tracking the remediation of IT security weaknesses. Overall, the Department needs to manage information security with greater rigor and consistency.

One of our recommendations for improving the Department's information security program and practices remains unimplemented: we recommended that the Department develop a security planning checklist, or other planning tool, to help system owners and authorizing officials complete and maintain comprehensive security plans.

   Status of Recommendation: The above recommendation (one of the report's three) has not been completely implemented.

   Estimated Cost Savings: Implementation of our recommendation will improve the Department's processes for identifying and remediating security vulnerabilities--and improve its process for authorizing systems to operate. These improvements may result in cost savings; however, we cannot yet project a specific amount.

   Whether agency plans to implement the recommendation in the near future: The Department plans to implement our second recommendation during the fourth quarter of FY 2012.